How does Hydra work?
Hydra is a brute force password cracking tool. In information security (IT security), password cracking is the methodology of guessing passwords from databases that have been stored in or are in transit within a computer system or network. A common approach, and the approach used by Hydra and many other similar pentesting tools and programs is referred to as Brute Force. We could easily do a Concise Bytes on ‘Brute Force Hacking’ but since this post is all about Hydra let’s place the brute-force attack concept within this password-guessing tool.
Brute force just means that the program launches a relentless barrage of passwords at a log in to guess the password. As we know, the majority of users have weak passwords and all too often they are easily guessed. A little bit of social engineering and the chances of finding the correct password for a user are multiplied. Most people (especially those non-IT savvy, will base their ‘secret’ passwords on words and nouns that they will not easily forget. These words are commonly: loved ones, children’s names, street addresses, favorite football team, place of birth etc. All of this is easily obtained through social media so as soon as the hacker has compiled this data it can be compiled within a ‘password list’.
Brute force will take the list that the hacker built and will likely combine it with other known (easy passwords, such as ‘password1, password2′ etc) and begin the attack. Depending on the processing speed of the hackers (auditors) computer, Internet connection (and perhaps proxies) the brute force methodology will systematically go through each password until the correct one is discovered.
It is not considered as being very subtle – but hey it works!
Hydra is considered as being one of the better ones out there and it certainly worth your time as a security professional or student to give it a try.
By Henry Dalziel
Information Security Blogger
Video by MetaThrunks